Fix Arbitary Code Execution
alromh87 committed Oct 6, 2020
1 parent 0a17c0a commit 88ff5ee
Showing 2 changed files with 19 additions and 17 deletions.
31 changes: 16 additions & 15 deletions lib/index.js
Expand Up @@ -3,6 +3,7 @@ var fs = require('fs');
var path = require('path');
var async = require('async');
var child_process = require('child_process');
const shellescape = require('shell-escape')

var fsPath = {
_win32: process.platform === 'win32',
Expand Down Expand Up @@ -55,9 +56,9 @@ var fsPath = {
callback(err);
} else {
if (that._win32) {
cmd = 'echo d|xcopy /s /e /y "' + path.join(from, '*') + '" "' + dist + '"';
cmd = 'echo d|xcopy /s /e /y ' + shellescape([path.join(from, '*')]) + ' ' + shellescape([dist]);
} else {
cmd = 'cp -f -R -p ' + path.join(from, '*').replace(/ /g, '\\ ') + ' ' + dist.replace(/ /g, '\\ ');
cmd = 'cp -f -R -p ' + shellescape([path.join(from, '*')]) + ' ' + shellescape([dist]);
}
child_process.exec(cmd, function (error, stdout, stderr) {
callback && callback(error);
Expand All @@ -66,9 +67,9 @@ var fsPath = {
});
} else if (stats.isFile()) {
if (that._win32) {
cmd = 'echo f|xcopy /y "' + from + '" "' + dist + '"';
cmd = 'echo f|xcopy /y ' + shellescape([from]) + ' ' + shellescape([dist]);
} else {
cmd = 'cp -f -p ' + from.replace(/ /g, '\\ ') + ' ' + dist.replace(/ /g, '\\ ');
cmd = 'cp -f -p ' + shellescape([from]) + ' ' + shellescape([dist]);
}
child_process.exec(cmd, function (error, stdout, stderr) {
callback && callback(error);
Expand All @@ -88,18 +89,18 @@ var fsPath = {
if (stats.isDirectory()) {
if (this._win32) {
// windows
cmd = 'echo da|xcopy /s /e "' + path.join(from, '*') + '" "' + dist + '"';
cmd = 'echo da|xcopy /s /e ' + shellescape([path.join(from, '*')]) + ' ' + shellescape([dist]);
} else {
// linux or mac
cmd = 'cp -f -R -p ' + path.join(from, '*').replace(/ /g, '\\ ') + ' ' + dist.replace(/ /g, '\\ ');
cmd = 'cp -f -R -p ' + shellescape([path.join(from, '*')]) + ' ' + shellescape([dist]);
}
} else if (stats.isFile()) {
if (this._win32) {
// windows
cmd = 'echo fa|xcopy "' + from + '" "' + dist + '"';
cmd = 'echo fa|xcopy ' + shellescape([from]) + ' ' + shellescape([dist]);
} else {
// linux or mac
cmd = 'cp -f -p ' + from.replace(/ /g, '\\ ') + ' ' + dist.replace(/ /g, '\\ ');
cmd = 'cp -f -p ' + shellescape([from]) + ' ' + shellescape([dist]);
}
}
cmd && child_process.execSync(cmd);
Expand All @@ -115,13 +116,13 @@ var fsPath = {
if (that._win32) {
// windows
if (stats.isDirectory()) {
cmd = 'rd /s /q "' + from + '"';
cmd = 'rd /s /q ' + shellescape([from]);
} else if (stats.isFile()) {
cmd = 'del /f "' + from + '"';
cmd = 'del /f ' + shellescape([from]);
}
} else {
// linux or mac
cmd = 'rm -rf ' + from.replace(/ /g, '\\ ');
cmd = 'rm -rf ' + shellescape([from]);
}
if (cmd) {
child_process.exec(cmd, function (error, stdout, stderr) {
Expand All @@ -141,13 +142,13 @@ var fsPath = {
if (this._win32) {
// windows
if (stats.isDirectory()) {
cmd = 'rd /s /q "' + from + '"';
cmd = 'rd /s /q ' + shellescape([from]);
} else if (stats.isFile()) {
cmd = 'del /f "' + from + '"';
cmd = 'del /f ' + shellescape([from]);
}
} else {
// linux or mac
cmd = 'rm -rf "' + from + '"';
cmd = 'rm -rf ' + shellescape([from]);
}
cmd && child_process.execSync(cmd);
} catch (e) {}
Expand Down Expand Up @@ -261,4 +262,4 @@ var fsPath = {
});
}
};
module.exports = fsPath;
module.exports = fsPath;
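Review bot: Quoting `path.join(from, '*')` through shellescape in the directory branches of copy and copySync (`cmd = 'cp -f -R -p ' + shellescape([path.join(from, '*')]) + ' ' + shellescape([dist]);`) also quotes the `*`, so the shell no longer expands the glob and cp is handed a literal `from/*` that does not exist — the POSIX directory copy now fails instead of copying. A glob-free form avoids both the expansion and the quoting problem: `cmd = 'cp -f -R -p ' + shellescape([from]) + '/. ' + shellescape([dist]);` copies the directory contents without relying on the shell. The Windows branches look affected the other way round: as far as I recall shell-escape emits POSIX single-quoted output, which cmd.exe passes literally to xcopy/rd/del, so those paths would probably both break and still leave cmd.exe metacharacters unneutralized — worth confirming on a Windows host. The more robust direction for all of these is child_process.execFile/spawn with an argument array, which needs no quoting at all; note the enclosing copy/copySync/remove/removeSync bodies start and end outside these hunks.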
5 changes: 3 additions & 2 deletions package.json
Expand Up @@ -21,9 +21,10 @@
},
"homepage": "https://github.com/pillys/fs-path",
"dependencies": {
"async": "~0.9.0"
"async": "~0.9.0",
"shell-escape": "^0.2.0"
},
"description": "file and directory op libs, find, findSync, mkdir, mkdirSync, copy, copySync, remove, removeSync, writeFile, writeFileSync",
"readmeFilename": "README.md",
"license": "MIT"
}
}

1 comment on commit 88ff5ee

@abergmann


CVE-2020-8298 was assigned to this commit.
